Opinion of 15 December 2008 on the notification for prior checking regarding the optional "Leadership Feedback" procedure established by the European Administrative School ("EAS") in connection with its management courses (Case 2008-527)
This opinion concerns an optional "Leadership Feedback" procedure established by the EAS in connection with its management courses.
EAS, as part of its mandate, organizes management courses for Commission officials and officials of other European institutions and bodies. In connection with each management course, EAS offers participants an opportunity to receive anonymous feedback about their management skills from other participants.
EAS outsourced the provision of management courses to a private company established in a European Union Member State. This company, in turn, outsourced the organization of the Leadership Feedback procedure to another private company, also established in a European Union Member State. EAS has, itself, no access to any data processed during the procedure. The outsourced processor organizes and manages the feedback procedure. In particular, it makes available to participants a secure website tool to collect feedback, aggregates feedback into reports (while the anonymity of those providing feedback is ensured), and provides each participant with a report regarding the group's feedback on his/her own management skills. Participants, if they so wish, may also complete a questionnaire assessing their own management skills and may also allow access to the feedback information to their trainers.
The recommendations of the EDPS include the following:
The contract between EAS and its direct subcontractor, which already contains a data protection clause, should also provide that (i) the subcontractor is obliged to ensure that all its direct and indirect subcontractors will undertake the same obligations in writing and that (ii) the choice of the subcontractor’s direct or indirect subcontractors is subject to the approval of EAS, which can be withheld in case the security of the data or the maintenance of other data protection safeguards is not ensured.
In addition to the detailed privacy statement on the EAS website, at least the following minimum information should also be provided among the printed materials in the information package: (i) the feedback procedure is entirely optional and anonymous, (ii) all data are processed solely for the purposes of providing feedback, (iii) data will be deleted within 2 months, and (iv) all data are processed by subcontractors and that EAS or others within the Institutions have no access to any data.
Opinion of 17 June 2009 on a notification for prior checking regarding the selection of middle management staff and advisers in the Commission (Case 2008-751)
DG ADMIN organizes and manages the selection process of middle management staff and advisers in the Commission in order to select the best suited candidates for a particular position. To that end, applicants have to follow various procedures (interviews with a pre-selection panel, interview of shortlisted candidates with the Director General and the Rapporteur, in some cases, opinion of the Consultative Committee on Appointments, etc.). Such procedures entail the collection and further processing of candidates' personal data for the purposes of evaluating their competences for a given position.
In his opinion, the EDPS concluded that the DG ADMIN has substantially followed all the principles of the Regulation. Nevertheless the EDPS recommended, among others, that DG ADMIN:
Opinion of 19 May 2009 on the notification for prior checking regarding the processing of personal data in DG ENTR Entreprise Data Warehouse (Case 2008-487)
The DG ENTR Data Warehouse (EDW) is a system in charge of retrieving data from multiple data sources (ABAC, COMREF, SYSLOG and DG ENTR's in-house financial data). The main goal is to provide managers with powerful reports presenting metrics of performance, like the 'Scoreboard' report, intended for the Heads of Unit, Directors and Director General.
The EDPS examined the processing in the light of the legal requirements of Regulation (EC) 45/2001 and concluded that there was no breach of the Regulation provided certain recommendations are taken into account and notably:
Opinion of 18 May 2009 on the notification for prior checking on the "Mediation Service of the European Commission" (Case 2009-010)
The European Commission has a Mediation Service which provides impartial advice to each official, servant or department that consults it. That Service intervenes if a case is submitted to it by an individual or a Commission department and may hear the persons concerned and request information from the Commission departments concerned. The role of the Mediation Service is to reconcile the administration and the staff. It makes recommendations and gives opinions, but has no power of decision.
The EDPS has examined the processing of personal data in managing absences owing to illnesses and has concluded that it does not seem to involve any infringement of the provisions of Regulation (EC) No 45/2001, provided that certain recommendations are implemented, in particular that the competent department checks the appropriateness of the transfer on a case by case basis and ensures that only relevant data are transferred; reminds data recipients that they may process the data they receive only for the purposes for which they are transmitted; applies the right of access and rectification to anyone whose personal data are processed; makes the specific confidentiality statement available on the Commission intranet site, and, if necessary, informs other persons whose data are being processed.
Opinion of 10 January 2008 on a notification for prior checking on "AGS-EDV Database at JRC-ITU in Karlsruhe" (Case 2007-378)
The Radioprotection Service of the JRC Institute for Transuranium Elements (ITU) in Karlsruhe processes health related data of occupationally exposed workers and visitors in accordance with the respective legal obligations laid down in the German Ionising Radiation Protection Regulation implementing Euratom Directives 96/29 and 90/641. The processing operations concern the handling of personal radiation data coming from internal and external dosimetry measurements by two external research centres, as well as the management of the respective database set to detect overexposure to the ionising radiation risks.
The EDPS recommendations provided in this opinion aim to ensure the full compliance with the Regulation 45/2001 and concern, in particular, the information to be provided to the data subjects, as well as the necessity to comply with the confidentiality and security obligations by all subjects involved in this data processing.
Opinion of 7 May 2009 on notifications for prior checking of certain Community agencies concerning the "Staff recruitment procedures" (Case 2009-287)
It is the first time that the EDPS carries out such a challenging exercise in examining 14 notifications, with their cover letters regarding each agency's processing operations, at the same time. The EDPS analysed each agency's practice regarding each principle of data protection stated in the Regulation and evaluated whether each agency followed the EDPS Guidelines or not. In view of the similarities of the procedures, and of some similarities as presented by some agencies in terms of data protection practices, the EDPS decided to examine all notifications in the same context and issue one joint opinion. The EDPS in his joint opinion underlines an agency's practice which does not seem to be in conformity with the principles of the Regulation as well as with the EDPS Guidelines and provides the agency(ies) concerned with a relevant recommendation. Some good practices are also pointed out in the joint opinion.
The data subjects concerned are permanent staff, temporary agents, contract agents, national experts and trainees. The processing operations under examination are subject to prior-checking in conformity with Article 27(2)(b) of Regulation 45/2001, since they involve an evaluation of the applicants’ ability to perform the job functions for which the selection and recruitment procedures have been organized. Some of these processing operations might also involve the processing of data related to health (collection of medical certificate or disability data) as well as to criminal offences (collection of criminal record), which constitutes an additional ground for prior-checking in the light of Article 27(2)(a) of the Regulation.
The procedure towards this joint opinion seems to have been beneficial to the agencies concerned as well, because on one hand it allowed them to compare data protection practices adopted within each agency and on the other hand it made them reconsider their practices in the light of the EDPS recommendations. Indeed, the EDPS notes that most of the agencies seem to have adopted their data protection practices following the EDPS Guidelines and the provisions of Regulation 45/2001.
In analysing the DPOs' remarks on the draft opinion sent to them for comments, the EDPS finds it necessary however to underline that the mere intention or confirmation stated by the DPO of an agency that a specific data protection practice will be applied in conformity with the EDPS Guidelines and recommendations is not sufficient for the implementation of the EDPS recommendations. Instead, concrete measures are required. Consequently, the controller of each agency concerned is now invited to adopt specific and concrete measures in order to implement the EDPS recommendations regarding staff recruitment procedures carried out by each agency. This implies that in the context of the follow-up each agency should send to the EDPS all relevant documents which can show that the EDPS recommendations were actually implemented.
Opinion of 17 October 2011 on the notification for prior checking concerning "Selection of participants to (internal/external) learning and development actions" (case 2011-0627)
Selection of participants to (internal/external) learning and development actions - EC
This prior checking Opinion deals with selection of participants to (internal/external) learning and development actions.
The purpose of the processing is to organise and manage the selection process of candidates who intend to take part in learning and development actions (internal or external) requiring specific prerequisites and/or with a limited number of places available (i.e. information programme in Member States, Fellowship programme, HR professionalization programme).
In his conclusions, the EDPS underlined that the data controller should consider reviewing its retention periods in line with the comments and that the recipients should be reminded of their obligations in the light of Article 7(3).
Opinion of 30 March 2009 on the notification for prior checking regarding structural trainees (Case 2008-760)
Under Commission Decision C(2008)866, officials from the public administrations of Member States, EFTA countries, candidate countries, non-member countries and intergovernmental organisations (IGOs) may apply for traineeships at the European Commission as part of their professional training. The European Commission has organised a data processing operation in order to select these trainees, who are called "structural trainees" (also "national experts").
That processing operation complies with Regulation (EC) No 45/2001, provided that a certain number of measures are applied, in particular: adopting an appropriate period for the storage of data; communicating sensitive data on a strictly need-to-know basis; ensuring that applicants have full access to the data relating to them during the selection procedure, and informing the trainees accepted for a Commission traineeship that their data will be further processed during the administration of their personnel files.
Opinion of 10 March 2009 on the notification for prior checking concerning the "end-of-probation procedure" case (Case 2008-720)
The aim of the processing operation under examination is to evaluate the performance of the official or other staff member in order to decide whether to grant establishment of the official, keep the temporary or contract staff member in their post, or to extend the probationary period. To this end, a probation report is drawn up. The probation report may also be used in the context of the data subject's staff assessment.
The EDPS has examined the proposed processing operation and has recommended in particular that measures be taken to ensure that only data which are strictly necessary to justify a possible extension of the probationary period appear in the probation report, i.e. only general data and data without any medical details can be mentioned in the box provided for this purpose in the probation report; that the Commission should assess whether the probation report should be kept in Sysper2 on the grounds that the data should only be kept for the period of time strictly necessary for the established purposes; and that, in the interest of transparency, the controller should inform the data subjects that, even if the data are not kept by ADMIN A4 in the event of a positive report or in the absence of a dispute, certain data are nevertheless kept in the data subject's personal file. The length of time the data are stored in the personal file should also be stated.
Opinion of 15 December 2008 on a notification for prior checking regarding the database ARDOS (Case 2007-380)
The Security Service of the Joint Research Centre (JRC) at Ispra put in place a processing operation called "nulla osta". The purpose of the "nulla osta" procedure is to ascertain and confirm a selected candidate's good conduct. Information collected through this procedure is stored in a database called ARDOS with all documents requested by and presented to the Security Service of the JRC Ispra. It has to be noted that the "nulla osta" processing operation concerns the candidates of all JRC sites except Karlsruhe.
The EDPS examined the processing operation and in particular the legal basis provided by the JRC Ispra to conduct such assessment of the candidate's good conduct. The EDPS concluded that the processing operation appears to be in breach of the provisions of Regulation (EC) No 45/2001 unless a clear legal basis is identified, produced or established by the institution. Indeed the processing operation described by the Security Service goes far beyond a checking of the candidate's good conduct, notably by collecting excessive and non-relevant data (data quality principle).
The EDPS moreover recommended that in order to ensure compliance with the Regulation, the JRC Ispra should make several amendments to the privacy statement to fully respect the information that should be given to the data subject following Article 12 of the Regulation. The EDPS also insisted on the fact that the retention period foreseen by the institution should be implemented as soon as possible.
Opinion of 4 December 2008 on a notification for prior checking regarding the "Coordination of medical, psychosocial and administrative support (COMPAS)" (Case 2008-428)
The European Commission designed a system called "Coordination of medical, psychosocial and administrative support" (COMPAS) to coordinate in a multi-disciplinary fashion the provision of help to staff in active employment. COMPAS will be a counselling facility designed to help individuals who are encountering serious health problems or serious social difficulties due to private or professional reasons which interfere with their presence or performance at work. The system is based on the ad hoc cooperation of several services within the European Commission. In principle COMPAS can only be seized for cases meeting certain criteria where all other single-service solutions and procedures have been properly tackled and exploited beforehand without success. The categories of concerned data subjects are officials and agents who are covered by the Staff Regulations and who encounter serious health problems or serious social difficulties. COMPAS will affect broad categories of personal data which will be used by the services in the interdisciplinary approach: administrative, medical and/or social data.
The EDPS analysis of the processing operations led to a number of recommendations ensuring that the planned system will be in full compliance with Regulation 45/2001, inter alia: The COMPAS procedure should be run only with the express consent of the staff member concerned. Appropriate measures should be put in place to ensure that all working documents, not needed to be annexed to a COMPAS file, are destroyed by the persons involved from the concerned services once a case is closed. The right of access of the person concerned to his/her file also should include the right to take copies of the data related to him/her. The content of the privacy statement should be revised as to the legal basis and the categories of data recipients. COMPAS should make a clear distinction related to the professional secrecy obligation of medical doctors/psychologists and any other professional involved in the COMPAS procedure. Measures should be put in place to ensure those principles.